New York Department of Financial Services (DFS) releases new cybersecurity regulations

Authored by: Brian Lane

DFS just issued proposed cybersecurity regulations that have been in draft form for some time. The proposed regulations released on September 13, 2016 go into effect January 1, 2017 with a 180 day transitional period to fully comply – a relatively short time frame for compliance considering the difficulty of implementing specific requirements, some of which are described below. While many of the requirements are similar to other regulations, there are some notable highlights:

  1. Annual penetration testing and quarterly vulnerability assessments will be required. While these types of tests have been relatively common and in use for some time, generally regulations are written so that these techniques are only “considered” as part of an overall cyber program. Quarterly vulnerability assessments present a significant amount of work to plan, execute, and report.
  2. Use of multi-factor authentication (MFA) for privileged access to internal systems and remote access. In addition to passwords, MFA also requires at least one additional identity verification based on something the user possesses (usually a smart card or fob with expiring codes). Many observers have stated that passwords no longer provide sufficient security as the primary or only access control mechanism. DFS has now made their feelings regarding password security very clear. While many banks have used MFA for years, other organizations may find this requirement relatively difficult to implement and administer within the limited time prior to the compliance deadline. 
  3. Mandatory use of encryption for all nonpublic information held by an organization or transmitted. While DFS has granted delayed implementation dates for this particular requirement – in transit data encryption can be implemented one year from the effective date and at rest data five years – enterprise wide implementation of a comprehensive encryption program is a significant project.  
  4. Either the Board of Directors, or an appropriate senior officer must certify annually that the organization is in compliance with the regulation. While cyber issues have been on boards’ agendas for some time, this is the first requirement demanding that the Board or a senior officer formally certify compliance. The first certification will be due to the DFS by January 15, 2018.

Organizations will need to perform an assessment of their readiness, and rapidly plan for full scale implementation of the requirements in the DFS regulation.

For more information on regulatory compliance, or to learn how Baker Tilly's financial services specialists can help, contact our team.